[tor-talk] almost success toward complete tor enforcement, need little help now
Dear list,

I wonder if I can set up a box which provides complete traffic enforcement through tor. The tails project has encouraged me to work in that direction. With the tails documentation and with some online guide like https://cryptoanarchy.org/wiki/Build_your_own_livething I am able to set up my running debian system as almost a tor encrypted box, with some small hitches which I believe can easily be solved with your technical guidance.

obfsproxy issue
===============

I have installed tor, pdnsd, ttdnsd, obfsproxy, polipo, vidalia. I have already collected the obfs IP addresses from a running tor bundle and then placed all those at /etc/tor/torrc. tor is running with obfs.

[Q] How can I check online that obfs is functional? https://check.torproject.org/ simply shows tor is running, but no obfs related information.

polipo and firewall
===================

Browsers are configured to use polipo (tor as parent) and the online check is successful (https://check.torproject.org/).

[Q] Is polipo really fast? I hardly see any advantage comparing a direct tor connection without polipo.

[Q] What is the iptables rule to redirect all 80 and 443 traffic through polipo port 8118? Then no configuration is required at browser level.
DNS and firewall
================

I am using pdnsd (caching DNS proxy server) and ttdnsd (udp to tcp converter).

/etc/pdnsd.conf content is this:

    global {
        perm_cache = 2048;
        cache_dir = "/var/cache/pdnsd";
        run_as = "pdnsd";
        server_ip = 127.0.0.1;
        status_ctl = on;
        min_ttl = 15m;
        max_ttl = 1w;
        timeout = 120;
    }

    # Tor DNS resolver
    server {
        label = "tor";
        ip = 127.0.0.1;
        port = 8853;
        uptest = none;
        exclude = ".invalid";
        policy = included;
        proxy_only = on;
        lean_query = on;
    }

    # ttdnsd
    server {
        label = "ttdnsd";
        ip = 127.0.0.2;
        port = 53;
        uptest = none;
        exclude = ".invalid", ".exit", ".onion";
        policy = included;
        proxy_only = on;
        lean_query = on;
    }

/etc/tor/torrc has

    DNSPort 8853
    AutomapHostsOnResolve 1
    AutomapHostsSuffixes .exit,.onion

So ttdnsd is running at port 53 on 127.0.0.2 and tor dns at 127.0.0.1 port 8853. But nmap shows (# nmap -p 1-65535 localhost):

    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    53/tcp   open  domain
    111/tcp  open  rpcbind
    631/tcp  open  ipp
    8118/tcp open  privoxy
    9040/tcp open  tor-trans
    9050/tcp open  tor-socks
    9051/tcp open  tor-control

no open port for tor-dns.

[Q] How can I enforce all udp to go through the local DNS port, and which one, 53 or 8853?

    <...>
    iptables -t nat -A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
    iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    <...>

is not working. Can't do any dns resolution, even ping to gmail.com failed.

iptables to route all traffic and block all non tor
===================================================

LAN and lo (localhost) don't need to go through tor, port 80/443 should go through polipo port 8118, all dns queries should go through the local 53 (or 8853?) port, and the rest of the traffic should go through tor port 9050; anything left should be dropped. The example iptables given at the tails site is not working for me. Could anyone kindly give such a rule set please?
Many many thanks for designing tor :-)

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
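Editor's added example, not code from the original post, from Tails or from the Tor project: a POSIX shell script that generates an iptables-restore ruleset implementing the policy the post describes (loopback and LAN untouched, 80/443 to polipo on 8118, DNS to the local resolver, everything else to Tor, the remainder dropped). It assumes Debian's Tor daemon user name `debian-tor`, a LAN prefix of 192.168.1.0/24 (a placeholder to replace), pdnsd listening on 127.0.0.1:53 as in the posted pdnsd.conf, and the TransPort 9040 that the posted nmap output already shows open. Two points the post's own output makes clear: REDIRECT hands the kernel's raw TCP stream to the target port, so the catch-all rule must go to the TransPort (9040), not the SOCKS port (9050), which expects a SOCKS handshake; and Tor's DNSPort is UDP, which a default nmap TCP scan such as `nmap -p 1-65535 localhost` never lists (`nmap -sU -p 8853 localhost` would). ICMP is not carried by Tor at all, so `ping gmail.com` is expected to fail under full enforcement.

```shell
#!/bin/sh
# Generate (and optionally apply) an iptables-restore ruleset that forces
# all outbound traffic through local Tor/polipo ports. Added example; the
# port numbers come from the post, the rest are labelled assumptions.

TOR_UID="${TOR_UID:-debian-tor}"          # assumption: Debian's Tor user
POLIPO_PORT="${POLIPO_PORT:-8118}"        # polipo, chains to Tor SOCKS 9050
TRANS_PORT="${TRANS_PORT:-9040}"          # Tor TransPort (open per nmap)
DNS_PORT="${DNS_PORT:-53}"                # pdnsd on 127.0.0.1:53; 8853 = Tor DNSPort
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # placeholder, set to the real LAN

# Emit the complete ruleset on stdout in iptables-restore format.
torify_rules() {
  cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
# Tor's own connections, loopback and LAN are left alone
-A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
-A OUTPUT -o lo -j RETURN
-A OUTPUT -d $LAN_NET -j RETURN
# every DNS query (UDP and TCP) goes to the local resolver
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
-A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
# web traffic goes to polipo
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $POLIPO_PORT
-A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports $POLIPO_PORT
# any other new TCP connection goes to Tor's TransPort (not SOCKS 9050:
# REDIRECT delivers a plain TCP stream, SOCKS expects a handshake)
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# redirected packets are re-routed over lo before reaching filter OUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
-A OUTPUT -d $LAN_NET -j ACCEPT
# everything else, including UDP that nat could not redirect and ICMP,
# falls through to the OUTPUT DROP policy
COMMIT
EOF
}

case "${1:-}" in
  --show)  torify_rules ;;                      # review before applying
  --apply) torify_rules | iptables-restore ;;   # as root
esac
```

Run it with `--show` first and read the output; `--apply` replaces the nat and filter tables in one atomic step, so keep a console session open in case the INPUT policy locks out a remote login. If the DNSPort should be hit directly rather than through pdnsd, set `DNS_PORT=8853` in the environment.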
participants (1)
-
Raviji